CVE-2026-40498
Status: Undergoing Analysis - In Progress
Unauthenticated Access and DoS via Exposed MD5 Hash in FreeScout

Publication date: 2026-04-21

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can access diagnostic and system tools that should be restricted to administrators. The /system/cron endpoint relies on a static MD5 hash derived from the APP_KEY, which is exposed in the response and logs. Accessing these endpoints reveals sensitive server information (Full Path Disclosure), process IDs, and allows for Resource Exhaustion (DoS) by triggering heavy background tasks repeatedly without any rate limiting. The cron hash is generated using md5(APP_KEY . 'web_cron_hash'). Since this hash is often transmitted via GET requests, it is susceptible to exposure in server logs, browser history, and proxy logs. Furthermore, the lack of rate limiting on these endpoints allows for automated resource exhaustion (DoS) and brute-force attempts. Version 1.8.213 fixes the issue.
Meta Information
Published: 2026-04-21
Last Modified: 2026-04-22
Generated: 2026-05-07
AI Q&A: 2026-04-21
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: freescout
Product: freescout
Version / Range: up to 1.8.213 (excluding 1.8.213)
CWE
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-40498 affects FreeScout versions prior to 1.8.213 and involves an authentication bypass and information disclosure vulnerability in the SystemController, specifically via the /system/cron endpoint.

The vulnerability arises because several sensitive administrative routes, including /system/cron/{hash}, /system/status, and /system/tools, have authentication middleware disabled, allowing unauthenticated attackers to access them.

The /system/cron endpoint uses a static MD5 hash generated from the APP_KEY concatenated with 'web_cron_hash' as an access control mechanism. However, this hash is exposed in HTTP responses and server logs, making it easily discoverable.

Since the hash is often transmitted via GET requests, it can be leaked through browser history, proxy logs, or server logs.

The lack of authentication enforcement combined with no rate limiting enables attackers to repeatedly trigger resource-intensive background cron tasks, leading to potential Denial of Service (DoS) through resource exhaustion.

Proof of concept includes scripts and manual verification showing unauthorized access to sensitive system information such as full internal file paths, PHP configurations, directory permissions, and Artisan command logs.

Attackers can also perform brute-force attacks against the /system/cron/{hash} endpoint due to the absence of rate limiting or IP blocking, potentially discovering the valid cron hash and gaining full access to administrative cron functions and sensitive internal data.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthenticated attackers to access sensitive server information, including full internal file paths, PHP configurations, and diagnostic data, which constitutes information disclosure.

Exposure of such sensitive information can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data.

Additionally, the lack of authentication and rate limiting enables unauthorized access to administrative tools and potential denial of service attacks, undermining system integrity and availability requirements often mandated by these standards.

Therefore, this vulnerability compromises confidentiality, integrity, and availability aspects critical to compliance with common security and privacy regulations.


How can this vulnerability impact me?

This vulnerability can have several serious impacts:

  • Information Disclosure: Exposure of internal server paths, configurations, and diagnostic data that should be restricted to administrators.
  • Broken Access Control: Unauthorized access to admin-only tools and status pages.
  • Denial of Service (DoS): Attackers can repeatedly trigger heavy cron jobs without any rate limiting, causing resource exhaustion and potentially making the server unavailable.
  • Full Path Disclosure: Revealing full internal file paths can facilitate further attacks such as Local File Inclusion (LFI).

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting unauthenticated access to sensitive administrative endpoints such as /system/cron/{hash}, /system/status, and /system/tools. If these endpoints are accessible without authentication, the system is vulnerable.

A proof of concept includes using a Python script or manual HTTP requests to access these endpoints and check for exposure of sensitive information like full internal file paths, PHP configurations, directory permissions, and Artisan command logs.

Manual verification can also be done by opening an incognito browser session and navigating to these endpoints to see if detailed server diagnostics are revealed.

  • Use curl or wget commands to access the endpoints without authentication, for example: curl http://yourserver/system/cron/<hash>
  • Check server logs and proxy logs for exposure of the static MD5 hash used in the /system/cron endpoint, as it is often transmitted via GET requests.
  • Attempt brute-force attacks against the /system/cron/{hash} endpoint using common wordlists (e.g., RockYou) to see if the hash can be discovered due to lack of rate limiting.
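The checks listed above are interactive. The same indicators can also be reviewed from the server side. The following script is an added example (it is not part of this record and not FreeScout's code) that scans constructed sample access-log lines for the patterns this answer names: the static cron hash appearing in GET request paths, repeated /system/cron hits from one client, a run of rejected hash values from one client, and 200 responses served on /system/status and /system/tools. The log format, the thresholds, the hash values, the response code for a rejected hash and the addresses are all assumptions of the example.

```python
"""Scan web-server access logs for indicators tied to CVE-2026-40498.

Added example; not FreeScout's own code. Log format, thresholds and
the sample lines are assumptions made for this script.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-format request line: client ip, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The cron trigger carries a 32-hex-character MD5 value in the path.
CRON_RE = re.compile(r"^/system/cron/(?P<hash>[0-9a-f]{32})/?$")
SENSITIVE_PATHS = ("/system/status", "/system/tools")


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path").split("?", 1)[0],
            "status": int(m.group("status"))}


def is_local(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def analyze(lines, window=timedelta(seconds=60), burst_threshold=5, guess_threshold=3):
    """Return (kind, client_ip, detail) findings. Thresholds are assumptions."""
    findings = []
    leaked = {}                    # hash value -> first client that presented it
    recent = defaultdict(deque)    # client -> timestamps of cron hits inside window
    guesses = defaultdict(set)     # client -> distinct hash values that were rejected
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, path, status = rec["ip"], rec["path"], rec["status"]
        # Diagnostic pages answered with 200 to a remote client deserve a look:
        # the log alone cannot prove the request was unauthenticated.
        if path in SENSITIVE_PATHS and status == 200 and not is_local(ip):
            findings.append(("sensitive_endpoint_served", ip, path))
        m = CRON_RE.match(path)
        if not m:
            continue
        h = m.group("hash")
        # An accepted hash in a GET path means the secret now lives in this log.
        if status == 200 and h not in leaked:
            leaked[h] = ip
            findings.append(("cron_hash_in_log", ip, h))
        # Several distinct rejected values from one client look like guessing.
        if status != 200:
            guesses[ip].add(h)
            if len(guesses[ip]) == guess_threshold:
                findings.append(("cron_hash_guessing", ip, path))
        # Many cron hits from one client inside the window: resource-exhaustion pattern.
        q = recent[ip]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) == burst_threshold:
            findings.append(("cron_burst", ip, path))
    return findings


def _line(ip, secs, path, status):
    """Build one constructed combined-format log line."""
    base = datetime(2026, 4, 21, 10, 0, 0, tzinfo=timezone.utc)
    ts = (base + timedelta(seconds=secs)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "curl/8.4.0"'


# Constructed sample log: the hash values and addresses are made up.
VALID = "0" * 31 + "a"   # stands in for the deployment's real cron hash
SAMPLE_LOG = (
    [_line("127.0.0.1", 0, f"/system/cron/{VALID}", 200)]                           # scheduler
    + [_line("203.0.113.7", 5 + i, f"/system/cron/{VALID}", 200) for i in range(6)]  # remote burst
    + [_line("203.0.113.7", 30 + i, "/system/cron/%032x" % i, 404) for i in range(3)]  # rejected values
    + [_line("198.51.100.9", 60, "/system/status", 200),
       _line("198.51.100.9", 61, "/system/tools", 200)]
)

if __name__ == "__main__":
    for kind, ip, detail in analyze(SAMPLE_LOG):
        print(f"{kind:26} {ip:15} {detail}")
```

The "cron_hash_in_log" finding fires for the local scheduler's own call as well, which is the point of the advisory: even legitimate use writes the static hash into the log file, so log access becomes secret access. Treat the other findings as triage signals to confirm against the application's own auth logs, not as proof on their own.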

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include enforcing authentication on all sensitive routes by removing exceptions for /system/status and /system/tools from the authentication middleware.

Restrict access to the /system/cron endpoint to authorized IP addresses, such as localhost, to prevent unauthorized external access.

Disable detailed command output in HTTP responses for cron tasks to avoid leaking sensitive information.

Implement rate limiting on these endpoints to prevent brute-force attacks and resource exhaustion (Denial of Service) caused by repeated triggering of heavy background tasks.

Upgrade FreeScout to version 1.8.213 or later, which includes fixes such as replacing the weak MD5 hash with a more secure HMAC-SHA512 hash and improving response handling to reduce information leakage.
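As an added illustration of the controls listed above (this is not FreeScout's code and not its actual patch), the following Python gate derives the trigger token with HMAC-SHA512 keyed by APP_KEY instead of md5(APP_KEY . 'web_cron_hash'), restricts callers to loopback addresses, applies a per-client rate limit before the token is compared so that failed attempts also count, compares in constant time, and never echoes the expected token in its result. The HMAC message, the limits, the class and function names and the placeholder key are assumptions of the example.

```python
"""Hardened trigger check for a web-cron style endpoint.

Added example, not FreeScout's code or its patch. The HMAC message,
the limits and all names here are assumptions for illustration.
"""
import hashlib
import hmac
import ipaddress
import time
from collections import defaultdict, deque

# Placeholder key for the example; a real deployment reads APP_KEY from its config.
APP_KEY = b"constructed-example-app-key-not-a-real-secret"


def weak_cron_hash(app_key: bytes) -> str:
    """Scheme the advisory describes for affected versions: md5(APP_KEY . 'web_cron_hash').

    It is static and unkeyed, and the advisory says it is shown in responses and
    logs, so it cannot serve as an access control on its own."""
    return hashlib.md5(app_key + b"web_cron_hash").hexdigest()


def cron_token(app_key: bytes, purpose: bytes = b"web_cron") -> str:
    """Keyed token. The advisory states the fix uses HMAC-SHA512; the message
    ('purpose') used here is an assumption of this example."""
    return hmac.new(app_key, purpose, hashlib.sha512).hexdigest()


class CronGate:
    """Authorisation decision for a cron-trigger request: allowlist, rate limit, token."""

    def __init__(self, app_key, allowed_nets=("127.0.0.0/8", "::1/128"),
                 limit=2, window=60.0):
        self._expected = cron_token(app_key).encode()
        self._nets = [ipaddress.ip_network(n) for n in allowed_nets]
        self._limit = limit          # attempts per client inside one window
        self._window = window        # window length in seconds
        self._attempts = defaultdict(deque)

    def _ip_allowed(self, client_ip):
        try:
            addr = ipaddress.ip_address(client_ip)
        except ValueError:
            return False
        return any(addr in net for net in self._nets)

    def _rate_limited(self, client_ip, now):
        q = self._attempts[client_ip]
        while q and now - q[0] >= self._window:
            q.popleft()
        if len(q) >= self._limit:
            return True
        q.append(now)
        return False

    def check(self, client_ip, presented_token, now=None):
        """Return (allowed, reason). Every attempt that reaches the limiter is
        counted, whether or not the token is right, and the reason never
        contains the expected token."""
        now = time.monotonic() if now is None else now
        if not self._ip_allowed(client_ip):
            return False, "ip_not_allowed"
        if self._rate_limited(client_ip, now):
            return False, "rate_limited"
        presented = str(presented_token).encode("utf-8", "replace")
        if not hmac.compare_digest(self._expected, presented):
            return False, "bad_token"
        return True, "ok"


if __name__ == "__main__":
    gate = CronGate(APP_KEY)
    token = cron_token(APP_KEY)
    print("remote caller:", gate.check("203.0.113.7", token))
    print("local, wrong token:", gate.check("127.0.0.1", "not-the-token"))
    print("local, right token:", gate.check("127.0.0.1", token))
```

The allowlist runs first so a remote client never reaches the comparison at all, which is the "localhost only" step above; the rate limit sits in front of the comparison so repeated wrong tokens are throttled rather than answered at full speed; and the handler's caller should return a generic status for every failure branch instead of the command output the advisory says leaked.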

